Update push.yml to java-version: "17.0"

[palisadoes]

Describe the bug

In a recent PR, we upgraded packages that required an upgrade in the java version of the application. We updated our Pull Request testing workflow, but not the Push workflow that deploys the APK.

To Reproduce
Steps to reproduce the behavior:

1. https://github.com/PalisadoesFoundation/talawa/pull/2671/files

Expected behavior

• The push workflow file push.yml is updated to the new Java version and passes.
• This may only be testable after merging the related PR

Actual behavior

• See above

Screenshots

• N/A

Additional details

• N/A
  Potential internship candidates

Please read this if you are planning to apply for a Palisadoes Foundation internship

• Student Internship Programs #359

[may-tas]

@palisadoes making a PR rn.

[palisadoes]

@may-tas

What is causing this error? The pushes are failing in another way now:

• https://github.com/PalisadoesFoundation/talawa/actions/runs/12527917558/job/34941965288

[may-tas]

@may-tas

What is causing this error? The pushes are failing in another way now:

• https://github.com/PalisadoesFoundation/talawa/actions/runs/12527917558/job/34941965288

I'll take a look

[may-tas]

@palisadoes The issue is that I did not include pubspec.lock file in the PR, and it changes whenever pub get is used.
So the workflow is doing pub get and the PR pubspec.lock branch is not matching with the updated pubspec.lock

See this is the issue while running pub get in workflow :

[may-tas]

@palisadoes I will make a PR updating pubspec.lock and that should fix this.

[palisadoes]

OK

[palisadoes]

How can we test for this in future as part of the GitHub action workflow?

[may-tas]

How can we test for this in future as part of the GitHub action workflow?

@palisadoes
We can do this in two ways :

1. First (Automated) :

• we can automate fixing it by running git add pubspec.lock && git commit -m "Update pubspec.lock" directly in the workflow if we want the workflow to handle minor issues itself.

2. Second :

• We can add a check for it in the push.yml to verify that there are no uncommitted changes to the pubspec.lock file after running pub get.
• This step should be added after the pub get command but before any further steps that depend on the resolved dependencies.
• The workflow will now fail if pubspec.lock is not committed after dependency changes, prompting contributors to fix it before merging.

[palisadoes]

Please add those steps

[may-tas]

which one ?

[may-tas]

Automated one? or 2nd

[palisadoes]

Automated.

[Dante291]

@may-tas it should work for both, yaml and lock files.

[may-tas]

Is this okay?

jobs:

  Flutter-Codebase-Check:
    if: ${{ github.actor != 'dependabot[bot]' }}
    name: Checking Codebase
    runs-on: ubuntu-latest
    permissions:
      contents: write.       # Added this
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}     # Added this
      - uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: '17.0'
      - uses: subosito/flutter-action@v2
        with:
          flutter-version: '3.22.3'
          channel: 'stable'
      - name: Running pub get in talawa_lint
        run: cd talawa_lint && flutter pub get && cd ..
      - name: Running pub get to fetch dependencies
        run: flutter pub get
      - name: Check and commit pubspec.lock changes   # Added this
        run: |
          if [[ `git status --porcelain pubspec.lock` ]]; then
            echo "Changes detected in pubspec.lock. Auto-committing updates."
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add pubspec.lock
            git commit -m "Automated update of pubspec.lock"
            git push
          else
            echo "No changes in pubspec.lock."
          fi
      - name: Checking for correct formatting of code
        run: dart format --set-exit-if-changed .
       
        Rest is same

[may-tas]

@may-tas it should work for both, yaml and lock files.

@Dante291 But yaml does not changes during pub get , it will only retrieve the dependencies written in yaml files, but during pub get lock files change as sometimes their content-hashes are changed.

[may-tas]

@palisadoes I am a bit new to github workflows so do tell me if there is any issue here.

Is this okay?

jobs:

  Flutter-Codebase-Check:
    if: ${{ github.actor != 'dependabot[bot]' }}
    name: Checking Codebase
    runs-on: ubuntu-latest
    permissions:
      contents: write.       # Added this
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}     # Added this
      - uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: '17.0'
      - uses: subosito/flutter-action@v2
        with:
          flutter-version: '3.22.3'
          channel: 'stable'
      - name: Running pub get in talawa_lint
        run: cd talawa_lint && flutter pub get && cd ..
      - name: Running pub get to fetch dependencies
        run: flutter pub get
      - name: Check and commit pubspec.lock changes   # Added this
        run: |
          if [[ `git status --porcelain pubspec.lock` ]]; then
            echo "Changes detected in pubspec.lock. Auto-committing updates."
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add pubspec.lock
            git commit -m "Automated update of pubspec.lock"
            git push
          else
            echo "No changes in pubspec.lock."
          fi
      - name: Checking for correct formatting of code
        run: dart format --set-exit-if-changed .
       
        Rest is same

[Dante291]

we can create temporary branch to stash any changes too like how we doing in pull-request.yml workflow

• name: Run check_ignore
  run: |
  git branch
  git checkout -b temp_branch
  git branch
  git stash push -m lock_file pubspec.lock
  git checkout develop
  git pull
  git branch
  git diff --name-only develop..HEAD
  git checkout temp_branch
  pip install GitPython
  python ./.github/workflows/check_ignore.py --repository ${{github.repository}} --merge_branch_name ${{github.head_ref}}

@may-tas this will fix this issue I think

[may-tas]

we can create temporary branch to stash any changes too like how we doing in pull-request.yml workflow

• name: Run check_ignore
  run: |
  git branch
  git checkout -b temp_branch
  git branch
  git stash push -m lock_file pubspec.lock
  git checkout develop
  git pull
  git branch
  git diff --name-only develop..HEAD
  git checkout temp_branch
  pip install GitPython
  python ./.github/workflows/check_ignore.py --repository ${{github.repository}} --merge_branch_name ${{github.head_ref}}

@may-tas this will fix this issue I think

@Dante291 yes I saw this in pull-request.yml , this is also a good way.

[may-tas]

@palisadoes
What is your take on this ? which approach should be followed ?

[palisadoes]

1. Use the approach we are using in pull-request.yml
2. I think pubspec.lock is being checked as a sensitive file. You'll need to make sure that this is adjusted accordingly
3. Try to see how the PR branch is auto-detected and use that value always.

[may-tas]

@palisadoes I think currently the approach we are using in pull-request.yml is not sufficient because we are only stashing the changes and not applying it back and committing it.

• This is the reason it passes pull-request.yml workflow as the changes after doing pub get were not applied and hence we had a problem in push workflow.

• we can instead just make a commit if pubspec.lock has any changes like this after running flutter pub get :

      - name: Running pub get to fetch dependencies
        run: flutter pub get
      - name: Check and commit pubspec.lock changes   # Added this
        run: |
          if [[ `git status --porcelain pubspec.lock` ]]; then
            echo "Changes detected in pubspec.lock. Auto-committing updates."
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add pubspec.lock
            git commit -m "Automated update of pubspec.lock"
            git push
          else
            echo "No changes in pubspec.lock."
          fi

• One more thing , we are using this currently :

      - name: Run check_ignore
        run: |
          git branch
          git checkout develop
          git pull
          git branch
          git checkout -
          pip install GitPython
          python ./.github/workflows/check_ignore.py --repository ${{github.repository}} --merge_branch_name ${{github.ref_name}}

• we are currently by default on develop-postgres in push workflow and then it switches to develop branch and pulls any changes there.
• why is this step necessary as we are only making changes in the develop-postgres and checking out develop here is redundant.

[may-tas]

• Also this issue is only for pubspec.lock file because that is the only file which could change after doing flutter pub get, So we should just handle it separately.

[palisadoes]

@noman2002 PTAL

[may-tas]

@palisadoes what should be done, any updates?

[palisadoes]

@noman2002 PTAL

[noman2002]

@may-tas I think we should make a commit if there is any change in pubspec.lock, but we need to add some checks that more than 1 package should not be upgraded in a single PR.

[may-tas]

@noman2002 Most contributors won't be including pubspec.lock file in their PR, so if content-hashes of pubspec.lock change during pub get, which happens rarely , it shouldn't be an issue to make a commit directly.

I did not understand what type of check you are talking about. Can you please elaborate a bit?

[may-tas]

@noman2002 @palisadoes

[may-tas]

Shall I go ahead and make a PR with the changes proposed to the workflow?

[noman2002]

Yes please go ahead.

[may-tas]

Please close this issue if it's resolved, so I can work on new tasks. If there are any concerns, please let me know.

[palisadoes]

@may-tas @noman2002

This needs to be reopened. Your push doesn't add the file to the commit with a -a flag. Therefore the push will always pass. I was wondering how this was working without changes to the branch protection rules.

Please try again. I'm going to revert your changes to push.yml

1. File:
   1. https://github.com/PalisadoesFoundation/talawa/pull/2701/files#diff-f3fc934cf0d89bdf07de358896ff90f1202585df812cf606206d1830a9949811
2. Screenshot
   

[may-tas]

Hi @palisadoes,
I apologize for missing this in my initial PR.
I understand your point - the previous workflow could pass with empty commits in case git add fails and modified files aren't properly staged.
I'll make a new PR and use git commit -a -m "Automated update of pubspec.lock" to ensure any changes to tracked files are automatically staged and committed.

[palisadoes]

1. Did you see this? It shows how to do commits to an existing PR
   1. https://github.com/actions/checkout#push-a-commit-using-the-built-in-token
   2. It says that the user should be:
      1. {user.id}+{user.login}@users.noreply.github.com

[may-tas]

@palisadoes Oh I see.
we need to update email format to use the official GitHub Actions bot ID format:

git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

[may-tas]

      - name: Check and commit pubspec.lock changes
        run: |
          if [[ $(git status --porcelain pubspec.lock) ]]; then
            echo "Changes detected in pubspec.lock. Auto-committing updates."
            git config user.name "github-actions[bot]"
            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
            git add pubspec.lock
            git commit -a -m "Automated update of pubspec.lock"
            git push
          else
            echo "No changes in pubspec.lock."
          fi

I think this would be fine.

[palisadoes]

In the PR workflow? If it's in the push workflow it'll be too late, we'll have to keep monitoring for failures after merging. It's always best to do this during the PR.

Fixing this in the push is the least desirable option

[may-tas]

Yeah we can do this in the PR workflow instead of push workflow.
Previously we were stashing the changes there, we can add this auto-commit check there.

[may-tas]

@palisadoes
I'll be adding this in the pull-request.yml

      - name: Check and commit pubspec.lock changes
        run: |
          if [[ $(git status --porcelain pubspec.lock) ]]; then
            echo "Changes detected in pubspec.lock. Auto-committing updates."
            git config user.name "github-actions[bot]"
            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
            git add pubspec.lock
            git commit -a -m "Automated update of pubspec.lock"
            git push origin HEAD:${{ github.head_ref }}
          else
            echo "No changes in pubspec.lock."
          fi

I also came across this :
I think this would be a better way to push to the PR branchgit push origin HEAD:${{ github.head_ref }}

[palisadoes]

Create a PR